Fraud Basics

Banish ‘comfortable inaction’

Most organizations need vendors to conduct business, but they’re often lax in investigating firms before they use their services. Here are tips for vetting your vendors and avoiding serious fraud problems.

A few years ago, we worked on a case that may have been the perfect storm of vendor-related fraud with bid-rigging, kickbacks and collusion. It all started with our client assuming it had all requisite controls in place to prevent vendor fraud but not really knowing whom it was doing business with. Of course, what you don’t know can and will return to haunt you.

Our client worked with what they thought was a group of distinct and separate vendors. In reality, all vendors were under the same ownership. However, some insiders in our client’s firm knew of the nefarious ownership structure and allowed the vendor to submit three separate bids to facilitate the fraud.

Once our client awarded bids ostensibly to one of the vendors, the crooked business that owned the vendors rewarded the conspiring insiders by padding the invoices with inflated costs for items provided or submitting invoices for unrendered services. We found all these crimes via data analytics, review of invoices and link analysis.

After a three-year investigation with the U.S. attorney, IRS and FBI, 12 people were sent to prison and six internal employees were fired. Our client also banned 25 vendors from any future business after investigators found they failed to meet certain risk thresholds. For instance, they may have had common ownership with other vendors (as in the above case) or had officers on sanctions lists and/or with criminal records.

Lesson learned — Know thy vendor!

‘Comfortable inaction’

The May/June 2021 issue of Fraud Magazine contained an interesting article about employee background checks. (See: “The case of Little Bo Peep: The jailhouse employee,” by Theresa Hicks.) It’s amazing how many procedures we go through to discover as much as we can about prospective employees but how little we know about our vendors and their officers. Maybe we don’t want to know or don’t care — or worse — maybe we think “vendor fraud can’t happen here.” Fraud examiners would do well to concentrate on vendor screening — commonly referred to as vendor vetting or credentialing — to protect their reputations, stakeholders and the public. Vendor vetting is a comprehensive approach to identify and mitigate many of the top asset misappropriation risks organizations face.

President John F. Kennedy famously said, “There are risks and costs to action. But they are far less than the long-range risks of comfortable inaction.”

“Comfortable inaction” is the state in which the immediate implication of not doing something isn’t visible but in the long run takes a toll. Comfortable inaction (especially by leaders) can be a real plague to an organization’s growth and reputation. It shows up in thoughts and statements like “I’m too busy.” “That will take too long.” “My inbox is full.” “We don’t have a budget for that.” Or, most painfully, “We’re doing enough; we don’t have that issue here.” Sound familiar?

Recent large-scale frauds, such as Wirecard and Luckin, reflect a lack of proper oversight, comprehensive fraud risk assessments and basic internal controls, plus no monitoring of the tone at the top, the mood in the middle (what middle management implements, follows or discusses) and the buzz at the bottom (how line employees implement and talk about what management instructs them to do). Much like dieting, exercising and getting enough sleep, these are all things we know we should do but often don’t.

Deficient vendor vetting

Organizations routinely subject potential hires to detailed form-filling, interviews, drug testing and background checks. Banks, using traditional Know-Your-Customer (KYC) methods, ask potential business account holders for identification, photo IDs, articles of incorporation, business bylaws and secretary of state records, among other qualifiers.

However, organizations seldom ask potential vendors for more than basic requirements, such as a credit application or a new vendor form, or they run a Dun & Bradstreet report. Vetting vendors requires a more thorough approach. This includes (1) verifying U.S. federal tax identification numbers (FEIN) against IRS databases, (2) identifying a vendor’s owners, (3) determining if vendors and their officers are on sanctions lists as required by the U.S. Department of Health and Human Services’ Office of the Inspector General (OIG) and (4) checking if the officers have criminal backgrounds or undisclosed relationships.

During COVID-19, knowing your vendors has become even more important amid a spate of such frauds and warnings by various agencies. (See “U.S. Pays High Prices for Masks from Unproven Vendors in Coronavirus Fight,” by Mark Maremont, Austen Hufford and Tom McGinty, The Wall Street Journal, April 18, 2020; “SCAM ALERT: Websites Selling PPE Take Money, Don’t Deliver Gear,” NBC2 News, May 14, 2020; and “FBI Warns Health Care Professionals of Increased Potential for Fraudulent Sales of COVID-19 Related Medical Equipment,” FBI, March 27, 2020.)

And such cases continue to hit the headlines. In March 2021, Wells Fargo flagged a potential fraud in the payment file of the City of Albuquerque, New Mexico. The municipality soon discovered that a $1.9 million payment was slated to go to a fraudster pretending to be one of its vendors. Luckily, the scam was discovered before the money transfer took place after officials contacted the true vendor. The city’s office of inspector general placed the blame on certain employees and said the fraud nearly succeeded due to their negligence and complacency. It recommended that “policies and procedures should be enhanced to provide for a more manageable and trackable process.” [See “City nearly scammed out of $1.9M,” by Jessica Dyer, Albuquerque Journal, July 20, 2021, and “FY 2021 Reports & Memos (Investigation, Reviews, etc.) Final No. 21-0002-I - DFAS Attempted Fraud ACH Investigation,” City of Albuquerque.]

Vendor horror stories

Here are more real-life situations and issues organizations discovered when they were on-boarding new vendors or credentialing existing ones:

  • Complex billing schemes, kickbacks, fictitious invoices and collusion among a group of seven vendors controlled by one individual.
  • Pedophiles at a vendor wanting to do business in a children’s hospital.
  • CEO of outsourced IT vendor charged with 18 counts of criminal activity, including first-degree murder, assault with a deadly weapon and kidnapping. The CEO served 10 years in prison.
  • Vendor employed convicted rapists, drug dealers and grand-theft criminals.
  • Vendors found to be supporting terrorist organizations.
  • Vendors found on the U.S. Excluded Parties List System and OIG sanctions lists.
  • Vendors listed in a vendor master file with no FEINs, no addresses and no phone numbers.
  • A company’s internal accounting staff making deposits on behalf of a vendor they were using.
  • The existence of “captive vendors,” which appear to provide goods and services to only one organization and are potentially shell companies.
  • Vendors that had rounded total payments (e.g., $5,000, $10,000, $50,000, etc.). Costs related to materials, labor and taxes rarely result in round numbers, so round totals are typically a red flag for nefarious billing patterns.
  • Vendors that had sequential invoices.
  • Duplicate payments made to vendors.

Comprehensive solution

So, what should you do to protect your organization from these nefarious actors? The short answer: Vet your vendors. However, vetting or credentialing goes beyond verifying that vendors have proper training, certifications and licensure. Focus on protecting against the external threat of engaging entities or individuals who are excluded parties, are criminals or have conflicts of interest. Also pay attention to internal threats of asset misappropriation and collusion.

Here are some questions to ask during your comprehensive vendor vetting:

  • How long has it been in business? (This has been especially important during the COVID-19 pandemic when newly formed vendors of personal protective equipment have tried to scam consumers.) To find the age of a business, review its filings with the secretary of state and Dun & Bradstreet reports, and confirm if the FEIN has been issued by the IRS or if it’s still pending.
  • Does the vendor have a website?
  • If it’s based in the U.S., is it registered with its secretary of state?
  • Who are the owners? Review secretary of state filings, the vendor’s website, or use data aggregators like Thomson Reuters, TransUnion, LexisNexis and the like.
  • Has the vendor or its owner been involved in any criminal activity? Use the same data aggregators above as well as search engines.
  • If it’s a U.S. company, is its stated FEIN correct? Check the IRS website.
  • Does the vendor have undisclosed familial or improper business relationships or conflicts of interest? Use data analytics on vendors in the vendor master file to search for anomalies, duplicates or missing data. Conduct a disbursement review of payments to look for anomalies or rounded total payments, which are highly unusual.
  • Is the vendor or its officers on lists of sanctions and exclusions? If the company is in the U.S., check on Sam.gov. Health care professionals often use the Streamline Verify compliance portal. Per the OIG, knowingly or unknowingly doing business with a vendor or one of its officers listed on a sanctions list could impact Medicare and Medicaid reimbursement.
  • Does the vendor have access to protected health information or personally identifiable information? If so, what are their policies and procedures to protect that data?
  • Does vendor credentialing software (such as Vetted®) surface any problems?
  • Is the vendor in compliance with your security policies? It’s important that companies know how vendors who have access to their data protect themselves against data breaches.
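
The master-file and disbursement checks named above (missing data, duplicates, rounded totals, sequential invoices, duplicate payments) can be scripted. The following Python sketch is an added example, not code from the article or from any vendor-credentialing product; the sample records are constructed, and the $1,000 rounding unit, the run length of three and the use of a shared address or phone as a hint of related vendors are assumptions to tune against your own data.

```python
from collections import Counter, defaultdict

# Constructed sample data, not taken from the article.
VENDORS = [
    {"id": "V1", "name": "Acme Supply", "fein": "12-3456789", "address": "10 Main St", "phone": "555-0100"},
    {"id": "V2", "name": "Apex Supply", "fein": "98-7654321", "address": "10 Main St", "phone": "555-0100"},
    {"id": "V3", "name": "Ghost LLC", "fein": "", "address": "", "phone": ""},
    {"id": "V4", "name": "Northside Paper", "fein": "45-1112223", "address": "7 Oak Ave", "phone": "555-0199"},
]
PAYMENTS = [  # (vendor id, invoice number, amount in dollars)
    ("V1", "1001", 5000.00), ("V1", "1002", 10000.00), ("V1", "1003", 50000.00),
    ("V2", "A-17", 1234.56), ("V2", "A-17", 1234.56),
    ("V4", "88213", 742.19), ("V4", "90457", 1310.40),
]

def missing_fields(vendors, fields=("fein", "address", "phone")):
    # Master-file records with a blank FEIN, address or phone number.
    gaps = {v["id"]: [f for f in fields if not v[f].strip()] for v in vendors}
    return {vid: g for vid, g in gaps.items() if g}

def shared_contact(vendors):
    # "Separate" vendors sharing an address or phone (assumed hint of common ownership).
    groups = defaultdict(list)
    for v in vendors:
        for f in ("address", "phone"):
            if v[f].strip():
                groups[(f, v[f].strip().lower())].append(v["id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}

def rounded_payments(payments, unit=1000):
    # Totals that are exact multiples of `unit` dollars, compared in whole cents.
    return [p for p in payments if round(p[2] * 100) % (unit * 100) == 0]

def sequential_invoices(payments, min_run=3):
    # Longest run of consecutive numeric invoice numbers per vendor.
    nums = defaultdict(set)
    for vid, inv, _ in payments:
        if inv.isdigit():
            nums[vid].add(int(inv))
    flagged = {}
    for vid, ns in nums.items():
        longest = max(Counter(n - i for i, n in enumerate(sorted(ns))).values())
        if longest >= min_run:
            flagged[vid] = longest
    return flagged

def duplicate_payments(payments):
    # Same vendor, invoice number and amount paid more than once.
    return [p for p, n in Counter(payments).items() if n > 1]
```

Each function returns the flagged records for human review; a hit is a reason to pull the invoices and ownership filings, not proof of fraud.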

Uncomfortable (but productive) action

The head-in-the-sand, comfortable-inaction approach is a bad strategy that introduces unnecessary risk. What you don’t know can and often does come back to hurt you. Think about how you’d answer questions from your boss or a board member about your due diligence process for vendor onboarding if you experienced a vendor-related fraud.

I’m here to support our CFE community. Please contact me if you have any questions about vendor credentialing, data analytics, vendor background checks and screening. You can also provide the details of possible vendor-related billing or fraud schemes; we’ve seen many situations. I will do my best to assist.

Joseph M. Palmar, CFE, CPA/CFF, is chief executive officer of Palmar Forensics. Contact him at jpalmar@palmarforensics.com.
